
View Full Version : user authentication


tonyk
10-24-2004, 06:00 AM
Looking for suggestions on how to manage user authentication for a Laszlo-based application.

Looking for typical functionality such that there will be a portion of the application which is open to "anonymous" users, but there will also be a portion that is secured to a user who has provided a user name and password.

The anonymous portion can run HTTP, while the secure portion has to be secure via HTTPS.

Initially, I'm willing to HTTPS even the anonymous portion if it is significantly easier to get up and running, although optimally I'd like to have the anonymous portion running HTTP to avoid the additional overhead, and only the secure over HTTPS.

Obviously the scheme has to prevent one user from impersonating another user when invoking actions within the secure portion of the application.

coszmin
10-24-2004, 02:03 PM
One thing I do, and this is server side, where it should be anyway.

I normally set a data object representing the user into the HTTP session. Each time a restricted request has to take place, the first thing that the server side does is get the user object from the session. If this object is not available, redirect to login; if it is available, you can run further permission checks on it.

You should, of course, remove it from the session once the user requests logout.

Hope this helps.

scheidecker
10-25-2004, 10:31 AM
How did you do that? Servlets?

If so, how did you make it communicate with Laszlo?

Is there any place where I could see a simple code example of that?

Thanks.

coszmin
10-26-2004, 12:40 PM
Laszlo seems to prefer XML data structures. These are very easy to build with JSP / servlets.

Basically you code JSPs that, instead of building dynamic HTML content, build an XML tree that describes a certain piece of data; then you put that behind a datasource in Laszlo.
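
The session check and XML response described in this thread, sketched as a servlet. This is an added example, not code from any of the posters. The class name, the `user` session key, the `/login` URL, the XML element names and the use of POST for logout are all assumptions, and the user object is simplified to a user-name string.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet for the secured part of the application (all names are assumptions).
// A separate login servlet is assumed to check the password and call setAttribute(USER_KEY, name).
public class AccountDataServlet extends HttpServlet {
    static final String USER_KEY = "user";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = authenticatedUser(req, resp);
        if (user == null) return; // error or redirect already sent
        // The identity comes only from the server-side session, never from a request
        // parameter, so a caller cannot name another user in the request.
        resp.setContentType("text/xml;charset=UTF-8");
        resp.getWriter().println("<account><user name=\"" + xmlEscape(user) + "\"/></account>");
    }

    // Assumption for this example: a POST to this servlet is the logout request.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (authenticatedUser(req, resp) == null) return;
        req.getSession().invalidate(); // drops the user object with the rest of the session
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Returns the logged-in user name, or null after sending an error or a redirect.
    private String authenticatedUser(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (!req.isSecure()) { // the secured portion is HTTPS-only
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        HttpSession session = req.getSession(false); // never create a session for anonymous callers
        Object user = (session == null) ? null : session.getAttribute(USER_KEY);
        if (!(user instanceof String)) {
            resp.sendRedirect(req.getContextPath() + "/login"); // hypothetical login URL
            return null;
        }
        return (String) user;
    }

    // Escape values placed into the XML so user-controlled text cannot alter the document.
    static String xmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

If the anonymous portion stays on plain HTTP, the session cookie also needs the Secure flag so the browser never sends it over the unencrypted connection.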